[RADIATOR] Problem with pam_radius

Francisco Rodrigo Cortinas Maseda francisco.cortinas at jazztel.com
Wed Mar 30 01:57:36 CDT 2011


Hello,

I have been trying to authenticate users from a Linux box (Red Hat ES 4 i386) using pam_radius (1.3.17), and it always fails with the message "Bad password". I have read some other threads on this list saying that the problem is the secret between the server and the radius (3.17.1-1), and I have discarded this by doing some other tests (changing the secret on the radius shows a message on the server saying that the secret is not valid).

So, doing some other tests, I have found a problem with the password decryption on the radius; it seems that the password is not being decrypted correctly. I have modified the "decode_password" subroutine in Radius.pm, uncommenting the following lines:

    # Uncomment this if you really want to see whats really
    # in the password. Useful for finding obscure bugs
    my $pwdump = Radius::AttrVal::pclean($pwdout);
    &main::log($main::LOG_DEBUG, "Decoded password is $pwdump", $self);

and this is what shows up in the trace 4 log:

*** Received from 10.0.124.53 port 27601 ....
Code:       Access-Request
Identifier: 108
Authentic:  7<22><216>m<171>zD<191><238>@<181>[zl=<253>
Attributes:
        User-Name = "frcm"
        User-Password = P<191><5><142>2<222>2_<156><230><224>/.p<171><242>
        NAS-IP-Address = 127.0.0.1
        NAS-Identifier = "sshd"
        NAS-Port = 26576
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only
        Calling-Station-Id = "172.16.178.76"

Tue Mar 22 09:19:00 2011: DEBUG: Handling request with Handler 'NAS-Identifier="sshd"'
Tue Mar 22 09:19:00 2011: DEBUG:  Deleting session for frcm, 127.0.0.1, 26576
Tue Mar 22 09:19:00 2011: DEBUG: Decoded password is <198>* uVf<204><1>w<227>-<190>V..<15>
Tue Mar 22 09:19:00 2011: DEBUG: Handling with Radius::AuthSQL
Tue Mar 22 09:19:00 2011: DEBUG: Handling with Radius::AuthSQL: SERVERS
Tue Mar 22 09:19:00 2011: DEBUG: Query is: 'SELECT password FROM usuarios WHERE username='frcm'':
Tue Mar 22 09:19:00 2011: ERR: Execute failed for 'SELECT password FROM usuarios WHERE username='frcm'': Lost connection to MySQL server during query
Tue Mar 22 09:19:00 2011: DEBUG: Radius::AuthSQL looks for match with frcm [frcm]
Tue Mar 22 09:19:00 2011: DEBUG: Decoded password is <198>* uVf<204><1>w<227>-<190>V..<15>
Tue Mar 22 09:19:00 2011: DEBUG: Radius::AuthSQL REJECT: Bad Password: frcm [frcm]
Tue Mar 22 09:19:00 2011: DEBUG: AuthBy SQL result: REJECT, Bad Password
Tue Mar 22 09:19:00 2011: INFO: Access rejected for frcm: Bad Password
Tue Mar 22 09:19:00 2011: DEBUG: Packet dump:
*** Sending to 10.0.124.53 port 27601 ....
Code:       Access-Reject
Identifier: 108
Authentic:  7<22><216>m<171>zD<191><238>@<181>[zl=<253>
Attributes:
        Called-Station-Id = "<198>* uVf<204><1>w<227>-<190>V..<15>"
        Reply-Message = "Bad Password"



If I use the radpwtst utility on the server from which I am trying to authenticate using pam_radius, the password is correctly decoded and is shown correctly in the trace 4 log.

So, my question is: has anyone else encountered this problem?

Regards.

